Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: patch for qpopper remote exploit bug
From: lusky () EARTH VOYAGERONLINE NET (Jon Lusky)
Date: Sat, 27 Jun 1998 19:41:46 -0400


Andres Kroonmaa writes:
 Yeah, but what about systems that do _not_ have vsnprintf()?
 Using calls without bounds checks can be justified as long
 as it is made dead sure that no bounds would be ever exceeded.

 In current case, buffers overflow because qpopper accepts
 way too long commands. Easiest fix is to limit max command
 length at safer lower length during call to tgets()

Here is what I am using...  I changed the length passed to tgets,
and put some logging code in myfgets().


*** ../qpopper2.41beta1/popper.c        Wed Nov 19 16:20:38 1997
--- popper.c    Fri Jun 26 00:05:57 1998
***************
*** 46,51 ****
--- 46,61 ----
  char * strerror();
  #endif

+ #if HAVE_SYS_NETINET_IN_H
+ # include <sys/netinet/in.h>
+ #endif
+ #if HAVE_NETINET_IN_H
+ # include <netinet/in.h>
+ #endif
+
+ #include <netdb.h>
+ #include <arpa/inet.h>
+
  extern  state_table *   pop_get_command();
  int hangup = FALSE ;
  int catchSIGHUP();
***************
*** 55,60 ****
--- 65,72 ----

  FILE *debuglog;

+ #define MAXINPUTLEN 80
+
  /*
   *  popper: Handle a Post Office Protocol version 3 session
   */
***************
*** 123,129 ****
              pop_msg(&p, POP_FAILURE,"POP mailbox restoration failed.",p.myhost);
  #endif
              p.CurrentState = error;
!         } else if (tgets(message,MAXLINELEN,p.input,pop_timeout) == NULL) {
            if (poptimeout) {
                  if (p.xmitting) pop_xmit_clean(&p);
                pop_msg(&p,POP_FAILURE,"POP timeout",p.myhost);
--- 135,141 ----
              pop_msg(&p, POP_FAILURE,"POP mailbox restoration failed.",p.myhost);
  #endif
              p.CurrentState = error;
!         } else if (tgets(message,MAXINPUTLEN,p.input,pop_timeout) == NULL) {
            if (poptimeout) {
                  if (p.xmitting) pop_xmit_clean(&p);
                pop_msg(&p,POP_FAILURE,"POP timeout",p.myhost);
***************
*** 196,202 ****
--- 208,219 ----
        char ch;
        int nbytes;
        int found_nl = 0;
+       char msgbuf[500];
+       struct sockaddr_in      cs;
+       int                     sp = 0;
+       int                     len;

+
        cp = str;

        while (--size > 0) {
***************
*** 210,216 ****
            }
            ++cp;
        }
!
        if ((nbytes <= 0) || (cp == str)) {
            return(NULL);
        } else {
--- 227,240 ----
            }
            ++cp;
        }
!       if (size == 0) {
!               len = sizeof(cs);
!               if (getpeername(sp,(struct sockaddr *)&cs,&len) < 0){
!                       exit(1);
!               }
!               sprintf(msgbuf,"LONG POPPER COMMAND from %s - %s (truncated)",strdup(inet_ntoa(cs.sin_addr)),str);
!               syslog(LOG_ALERT,"%s",msgbuf);
!       }
        if ((nbytes <= 0) || (cp == str)) {
            return(NULL);
        } else {

--
   Jonathan R. Lusky    |         Voyager Online LLC
Senior Network Engineer |   (423) 209-2929 / (800) 864-0442
     lusky () vol com      | Nationwide 64K Dialup ISDN $26.95/mo
 http://www.hotrod.com  |         http://www.vol.com



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]